Install, link, and update certificates
To install a certificate, see Add or update a certificate-key pair.
Link certificates
Many server certificates are signed by multiple hierarchical Certificate Authorities (CAs), so the certificates form a chain such as: Root CA certificate → Intermediate CA certificate → Server certificate.
Sometimes the intermediate CA is split into a primary and a secondary intermediate CA certificate. The certificates then form a chain such as: Root CA certificate → Primary intermediate CA certificate → Secondary intermediate CA certificate → Server certificate.
Client machines usually contain the root CA certificate in their local certificate store, but not one or more intermediate CA certificates. The ADC appliance must send one or more intermediate CA certificates to the clients.
Note: The appliance must not send the root CA certificate to the client. The Public Key Infrastructure (PKI) trust relationship model requires root CA certificates to be installed on clients through an out-of-band method. For example, the certificates are included with the operating system or web browser. The client ignores a root CA certificate sent by the appliance.
Sometimes the server certificate is issued by an intermediate CA that standard web browsers do not recognize as a trusted CA. In this case, one or more CA certificates must be sent to the client together with the server’s own certificate. Otherwise, the browser terminates the SSL session because it cannot authenticate the server certificate.
Video link to How do I link an intermediate authority certificate.
Refer to the following sections to add the server and intermediate certificates:
- Manual certificate linking
- Automated certificate linking
- Create a chain of certificates
Manual certificate linking
Note: This feature is not supported on the Citrix ADC FIPS platform and in a cluster setup.
Instead of adding and linking individual certificates, you can now group a server certificate and up to nine intermediate certificates in a single file. You can specify the file’s name when adding a certificate-key pair. Before you do so, make sure that the following prerequisites are met.
- The certificates in the file are in the following order:
  - Server certificate (must be the first certificate in the file)
  - Optionally, a server key
  - Intermediate certificate 1 (ic1)
  - Intermediate certificate 2 (ic2)
  - Intermediate certificate 3 (ic3), and so on

  Note: An intermediate certificate file is created for each intermediate certificate, named “<certificatebundlename>.pem_ic<n>”, where n is between 1 and 9. For example, bundle.pem_ic1, where bundle is the name of the certificate set and ic1 is the first intermediate certificate in the set.
- The Bundle option is selected.
- No more than nine intermediate certificates are present in the file.
The file is parsed and the server certificate, intermediate certificates, and server key (if present) are identified. First, the server certificate and key are added. Then, the intermediate certificates are added, in the order in which they were added to the file, and linked accordingly.
An error is reported if any of the following conditions exist:
- A certificate file for one of the intermediate certificates exists on the appliance.
- The key is placed before the server certificate in the file.
- An intermediate certificate is placed before the server certificate.
- Intermediate certificates are not placed in the file in the same order as they are created.
- No certificates are present in the file.
- A certificate is not in the proper PEM format.
- The number of intermediate certificates in the file exceeds nine.
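The following is an added pre-flight check, not Citrix code, that applies the bundle rules listed above to a PEM file before it is uploaded, so that a malformed bundle is caught locally instead of by the appliance’s error report. It parses only the PEM framing (it does not decode X.509), so it can enforce that the server certificate comes first, that a key, if present, directly follows it, that every block is valid base64, and that there are at most nine intermediates; it cannot verify that the intermediates are in issuer order, which the appliance still checks. The `make_pem` helper and the sample bundle are constructed inputs (the payloads are not real DER certificates); the function names `parse_pem_blocks` and `validate_bundle` are assumptions of this example.

```python
import base64
import binascii
import re

MAX_INTERMEDIATES = 9  # the limit stated in the documentation

# One PEM block: label in the BEGIN line must match the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)

KEY_LABELS = {
    "PRIVATE KEY",
    "RSA PRIVATE KEY",
    "EC PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY",
}


class BundleError(ValueError):
    """Raised for any condition the appliance would report as an error."""


def parse_pem_blocks(text):
    """Return a list of (label, base64 body) tuples, rejecting non-PEM bodies."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        compact = "".join(body.split())
        try:
            base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            raise BundleError(f"{label} block is not in proper PEM format")
        if label != "CERTIFICATE" and label not in KEY_LABELS:
            raise BundleError(f"unexpected block type '{label}' in bundle")
        blocks.append((label, compact))
    return blocks


def validate_bundle(text, bundle_name):
    """Apply the ordering and count rules and return the parts the appliance
    would create: 'server', optionally 'key', and one '<bundle>.pem_ic<n>'
    entry per intermediate certificate (n starting at 1)."""
    blocks = parse_pem_blocks(text)
    if not blocks:
        raise BundleError("no certificates are present in the file")
    if blocks[0][0] in KEY_LABELS:
        raise BundleError("the key is placed before the server certificate")
    key_positions = [i for i, (label, _) in enumerate(blocks) if label in KEY_LABELS]
    if len(key_positions) > 1 or (key_positions and key_positions[0] != 1):
        raise BundleError("the key, if present, must directly follow the server certificate")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    intermediates = certs[1:]
    if len(intermediates) > MAX_INTERMEDIATES:
        raise BundleError(
            f"{len(intermediates)} intermediate certificates exceed the limit of {MAX_INTERMEDIATES}"
        )
    parts = {"server": certs[0]}
    if key_positions:
        parts["key"] = blocks[key_positions[0]][1]
    for n, body in enumerate(intermediates, start=1):
        parts[f"{bundle_name}.pem_ic{n}"] = body
    return parts


def make_pem(label, payload):
    """Wrap a constructed payload in PEM framing. The payload is not real DER;
    it only exercises the structural checks above."""
    body = base64.b64encode(payload).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


# Constructed sample bundle in the order the documentation requires:
# server certificate, server key, then intermediates ic1 and ic2.
SAMPLE_BUNDLE = (
    make_pem("CERTIFICATE", b"constructed server certificate")
    + make_pem("RSA PRIVATE KEY", b"constructed server key")
    + make_pem("CERTIFICATE", b"constructed intermediate 1")
    + make_pem("CERTIFICATE", b"constructed intermediate 2")
)

if __name__ == "__main__":
    for name in validate_bundle(SAMPLE_BUNDLE, "bundle"):
        print(name)
```

Run against the sample, the validator names the two intermediate files bundle.pem_ic1 and bundle.pem_ic2, matching the naming rule in the note above; a bundle with the key first, ten intermediates, or a corrupt body raises `BundleError` with the corresponding condition from the error list.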
Add a certificate set by using the CLI
At the command prompt, type the following commands to create a certificate set and verify the configuration:
add ssl certKey <certkeyName> -cert <string> -key <string> -bundle (YES | NO)
show ssl
show ssl certlink